A fresh class-action lawsuit in federal court is putting St. Louis hospital heavyweight Ascension under the microscope, accusing the health system of quietly exposing private patient records to Google. The complaint, filed this week and seeking class status, claims the data transfers broke federal health privacy rules and opened patients up to identity theft and other potential fallout.
According to the St. Louis Post-Dispatch, the suit argues Ascension improperly shared patient information with Google and is asking for damages on behalf of everyone whose records were allegedly swept up in the process. The filing also urges a judge to greenlight the case as a nationwide class action.
Ascension runs hospitals, clinics and other care sites across the country and bills itself as a faith-based system that delivers “personalized care” to communities nationwide. As noted on Ascension's own site, its operations span a wide range of clinical and community services.
Past partnership and federal scrutiny
The new lawsuit lands in the long shadow of Project Nightingale, a 2019 collaboration that moved Ascension patient records into Google’s cloud and immediately sparked privacy questions. STAT News reported at the time that the Department of Health and Human Services’ Office for Civil Rights opened an inquiry into whether the project squared with HIPAA and other federal privacy safeguards.
What the filing says
As described by the Post-Dispatch, the latest complaint claims Ascension’s alleged data transfers went beyond routine vendor support and created a foreseeable risk that sensitive medical information could be misused. Plaintiffs are seeking both court-ordered changes to how data is handled and money damages, adding one more entry to the growing list of lawsuits and investigations tied to high-profile healthcare data incidents in recent years.
Legal implications
The HHS Office for Civil Rights is responsible for enforcing HIPAA and can launch investigations or negotiate corrective action plans, according to HHS. But those federal privacy rules generally do not give individual patients a direct right to sue for damages. That gap is why plaintiffs in cases like this typically lean on state-law theories or consumer-protection claims while federal regulators separately decide whether enforcement is warranted.
Local fallout and what's next
This is not Ascension’s only trip to the courthouse. After a May 2024 ransomware attack knocked out its MyChart portal, the system was hit with separate lawsuits that are still moving through the courts, according to ClassAction.org. If the new Google-related complaint wins class certification, it could dramatically expand the number of patients seeking damages and invite even closer attention from regulators.
The latest case remains pending and is expected to proceed on a federal docket, with more filings from both sides and potential agency interest likely to surface in the coming weeks. We will be watching as new court documents and responses land in the public record.
